Murugiah Souppaya and Tim Grance of NIST count on virtualization to ease FDCC testing.
Jan 23 2010

Dynamic Duo?

FDCC and desktop virtualization have matching efficiency and security goals.

For federal agencies and contractors, virtualization has made testing for a more secure, uniform desktop and notebook configuration as easy as downloading a single file. Virtual centrally controlled desktop applications could bolster federal computer security efforts in the future.

In the last two years, the National Institute for Standards and Technology (NIST), along with the Department of Defense, has developed and deployed the Federal Desktop Core Configuration (FDCC). The initiative aims to make federal Windows XP, Vista and Internet Explorer 7 computers less vulnerable to compromise and easier to manage.

While that massive effort was getting under way, the concept of virtualization of desktop computers and servers was sweeping through the IT world at large, reducing support costs by centralizing and standardizing capabilities across organizations. It’s not surprising that virtualization has played an important role in FDCC testing by reducing costs and complexity. There’s more promise ahead for the two, according to some experts.

Virtual Reality

To support FDCC, NIST provides Microsoft Virtual PC hard disks that agencies can use to more quickly and easily test and migrate to new software and network technologies, as well as streamline their deployment. Downloadable baseline files dramatically reduce costs by providing a central reference for testing and measuring progress so other organizations don’t have to create and maintain their own baseline, says Tim Grance, program manager for the cyber and network security program in NIST’s Information Technology Laboratory.

Exactly how much savings is difficult to determine, but Grance says it’s substantial. The labor required for a single software implementation at an agency consumes time and resources. With a common, uniform starting point for that testing, the resulting costs and labor can be streamlined.

Martha Young, principal and CEO at Nova Amber consultancy and co-author of The Case for Virtual Business Processes, says desktop virtualization puts the minutia of IT management in one place, rather than spreading it out to individuals. That saves substantial time and resources. In the case of huge networks, savings can compound exponentially. “Patches and fixes are done at the macro level, not on the micro level, for instance,” she says.

5 million: Estimated number of desktop and notebook computers FDCC covers

Source: Microsoft

It’s this kind of efficiency that might infuse the FDCC effort in the future, Young adds.

The Army Golden Masters desktop virtualization program offers a glimpse of how the technology can provide a flexible yet secure platform across disparate operating systems. AGM employs virtualization to design baseline configurations for specific OSes and associated core application libraries to support desired functionality while maintaining system security and stability, according to Shirley J. Dixon, program manager for the  Army Golden Master Program, NETCOM/9th SC(A).

“This defined baseline is highly dependent upon the network architecture that supports an AGM baseline OS,” she says. “For example, a specific function or operation may be dependent upon the configuration of the local Active Directory service, Exchange e-mail service, or a web server hosting an application.” 

Today, the greatest challenge facing AGM is the disparate nature of the existing Army infrastructure, Dixon says. “These differences may include, but are not limited to, variations in server and desktop configurations, application interactions and dependencies, network architectures, or network management utilities and processes.”

Efficiency Expert

The virtual machines NIST uses in FDCC provide efficiencies. Although as large as 3 to 4 gigabytes, the NIST file instantly provides an FDCC-compliant machine that agencies can test against when evaluating test third-party software to ensure compliance, says Grance. “You don’t have to come up with a clean system, patches, download settings, or apply those settings,” he says. The virtual hard disk decreases workloads and provides the optimal environment for performing interoperability tests, he adds.

“We have set up a virtual test bed that includes 20 versions of antivirus software,” says Murugiah Souppaya, a computer scientist in NIST’s Information Technology Laboratory. “We can scan an infested system with 20 versions of anti-malware without setting up 25 physical individual systems.”

Virtualization capabilities in FDCC could, and should, expand, says John Gilligan, president of The Gilligan Group and former CIO for the Air Force. Gilligan is a driving force behind FDCC. Both have similar aims — device and software control residing at remote locations with centrally managed functions, he says.

Desktop virtualization does hold promise for FDCC, according to Dixon. “Desktop virtualization could allow a critical application or system that is not FDCC-compliant to operate within a secured 'sandbox' on the FDCC-compliant operating system,” she says. “This would provide a transition path for the application or system to continue to operate without requiring a security relaxation to the overall physical host OS security.”

Ultimately, says Young, “IT has become so complex you’ll never get to a ‘cookie cutter’ approach, but a common baseline is needed.”

Photo: Welton Doby III